This policy applies to: (a) use of Cloudinary’s websites (Cloudinary.com and any of its subdomains), including any information provided through registration and contact pages; (b) our marketing activities including, registrations as part of webinars, conferences, events, demo requests, emails etc.; and (c) information and data provided as part of your use of the Services following a subscription to the Services via our website, whether as a free or a fee-based account.
If you purchased subscription to the Services, by executing an order form with Cloudinary, the information collected through your use of the Services is processed under the terms of our Data Processing Agreement (“DPA”).
The summary of this policy highlights important elements of our privacy practices. Please take the time to read our full policy.
Personal Information You Provide
We receive and store any information you enter on our website or provide us in any other way. If you register with the Services, as part of registration and for notice purposes, you will be asked to provide your name, your company name, email address and password, and your payment details to process your payment for the Services. We further receive any Personal Information that you provide when contacting us. Read More ->
Personal Information We Collect
We use “cookies” and obtain information when your browser interacts with our websites. We automatically log ‘traffic/session’ information such as the IP address that your device uses and your browser or operating system identifiers. We collect session durations and additional activity and usage information. Read More ->
Personal Information Uploaded to the Services
As part of your use of the Services, you may upload content such as images and other media to the Services containing Personal Information. Please use caution and do not upload personal information related to others without their knowledge and approval, and do not upload any intimate and sensitive information. Read More ->
How Personal Information is Used
We use Personal Information to provide and maintain the Services, make it better and continue developing it, and protect us and the Services from misuse and law violations. Read More ->
Sharing Personal Information with Others
We will share Personal Information only subject to the terms of this policy, or subject to your prior consent. We use service providers and partners to support the Services that we provide, for example, to process payments, to understand user behavior on our Services and to send messages. We also share Personal Information with our affiliated companies and when we change our corporate structure. Read More ->
Transfer of Personal Information
We use cloud-based services to store, process and access Personal Information in the European Union, in the United States and in other regions to support our Services. These service providers provide us adequate privacy, security and confidentiality commitments. Further, we participate in the
EU-US Data Privacy Framework, as set forth by the US Department of Commerce. Read More ->
Your Rights Under Specific Laws
Specific chapters under this policy address additional disclosures related to our processing and use of Personal Information under the European Union data protection laws and the United States consumer privacy laws, applicable specifically for residents of the EU or US. Read More ->
If you have any questions about this policy or believe that your privacy rights are compromised, please contact us at: firstname.lastname@example.org.
Personal Information You Provide
We receive and store any information you provide us when you access and use our Services.
When you sign up to our Services through our website at: www.cloudinary.com, or through a separate subscription agreement with us, then as part of such registration we will ask you to provide Personal Information, including your name, your company name, your email address and to set a password. You can also sign up with your existing account with third parties such as Google or Github, and in these cases we will use your credentials with these services to sign you up.
If you subscribe to a paid account of the Services, we will receive your payment transaction details (for example, your name, the amount paid and the date of payment), from the payment service provider that processed your payment. We do not receive or process the details of your credit card or other payment method that you use to pay for the Services.
When you contact us, or when we contact you, we will receive and process any Personal Information that you provide us.
Personal Information We Collect
We use “cookies” and obtain information when your browser interacts with our websites. For further information about cookies, please see our Cookies and Similar Tracking Technologies Policy.
Examples of the information we collect and analyze include the Internet Protocol (IP) address used by your device to connect your device to the Internet and automatically sent by your browser to our Services; login details; e-mail address; password; device and connection information such as browser type, version, and time zone setting, browser plug-in types and versions, operating system, and platform.
When you use the Services, we collect information about your activities, for example, your log-in and log-out time, the duration of your Services’ sessions, the content that you have uploaded and downloaded, viewed online-pages or specific content on online-pages, activity measures and geolocation.
Personal Information Uploaded to the Services
You have control over the content that you upload to the Services, whether from your personal device or from a cloud-based hosting service.
PLEASE NOTE THAT CONTENT UPLOADED TO THE SERVICES IS DESIGNATED BY DEFAULT AS PUBLIC AND WILL BE ACCESSIBLE TO OTHERS, INCLUDING VISITORS OF YOUR WEBSITE AND WEB APPLICATION. THEY ARE NOT DESIGNED TO HOST INTIMATE AND SENSITIVE INFORMATION OF ANY KIND.
PLEASE USE CAUTION WHEN UPLOADING CONTENT AND AVOID ANY INVOLUNTARY DISCLOSURE OF PERSONAL INFORMATION, DISCLOSURE OF SENSITIVE PERSONAL INFORMATION, OR DISCLOSURE OF PERSONAL INFORMATION RELATED TO OTHERS WITHOUT THEIR KNOWLEDGE AND APPROVAL.
How Personal Information is Used
We use the Personal Information we collect and receive to provide the Services to you and to other users, to enable the Service’s tools and features, to study and analyze the functionality of the Services and users’ activities, to provide support, to measure Service activity for pricing purposes, to maintain and support the Service, to make it better and to continue developing the Service.
We will use your email address to contact you when necessary, to send you reminders and to provide you information and notices about the Service. We will include commercial and marketing information about our Service and related services to the Cloudinary platform.
Please note that by registering for our Services or creating an account, you will be receiving different communications from us, including marketing materials. If required by law, we will ask for your explicit consent for sending marketing communications. Please refer to the “Your Choice” section below if you wish to opt out of receiving marketing communications.
If necessary, we will use Personal Information to enforce our terms, policies and legal agreements, to comply with court orders and warrants, and assist law enforcement agencies, to collect debts, prevent fraud, misappropriation, infringements, identity thefts and any other misuse of the Service, and to take any action in any legal dispute and proceeding.
We commit to process Personal Information solely for the purposes described in this policy.
Sharing Personal Information with Others
We do not sell, rent or lease Personal Information. We will share Personal Information only subject to the terms of this policy, or subject to your prior consent.
To support the purposes of using Personal Information under this policy, we will share Personal Information with service providers, business partners and certain other third parties, including:
- Operations service providers that, for example, host and back up content, provide analytics related to the use of the Services, authenticate and secure log-ins, log activities, manage our production and development activities, operate our systems, networks and databases, and enable cyber security and fraud detection and prevention.
- Payment service providers – we will share your payment transaction details to process and verify your payments.
- Communications and marketing service providers, for example, we will use a service provider to manage our email messages transmission, engage local resellers to provide our Services to you in a local language, or for enriching user data in order to improve your user experience.
- Our affiliates within the Cloudinary group.
- Law enforcement, courts and other agencies, authorities and other relevant entities. We will comply with court orders, search warrants, regulatory orders, subpoenas, and provide information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We will also report uploaded content and shared Personal Information , if we have a good-faith belief that the content, or the sharing of the content is illegal, abusive or violates third-party rights.
- Other entities as part of a merger, acquisition or any other corporate structural change.
Cookies and Other Tracking Technologies
We also use standard analytics tools such as Google Analytics, to learn about how you and other users use the Service, in support of our Service-related activities and operations. The privacy practices of these tools are subject to their own privacy policies and they use their own cookies to provide their services.
As part of our business and Services operations, we de-identify Personal Information and use the data in a statistical and aggregated form. We will share it with our partners, affiliates and other third parties for legitimate business purposes. We make considerable efforts to ensure that such data is unlikely to identify you or be associated specifically with you.
We provide you with choice and control on how we use Personal Information in connection with various aspect of our processing, as follows:
Please contact us at email@example.com if you would like to stop receiving our newsletter or marketing emails.
At any time, you can unsubscribe from our mailing lists or newsletters by following the unsubscribe instructions included in these emails or by accessing our unsubscribe page.
Some internet browsers offer a “do not track” or “DNT” signals to indicate your preference for tracking your activities on a service or through cross-site online activities. These features are varied with no uniform or common standard adopted yet by industry groups or regulators. Therefore, our Services do not currently respond to DNT signals. We continue to monitor developments around DNT technology and the implementation of a standard.
Accessing Personal Information
If you find that the information on your account is inaccurate, incomplete or not up-to-date, please contact us at: firstname.lastname@example.org and provide us with the necessary information to correct it.
At any time, you can contact us at: email@example.com and request to access the Personal Information that we keep about you. We will ask you to provide us certain credentials to make sure that you are who you claim to be and to as required under applicable law, we will make good-faith efforts to locate the Personal Information that you request to access and provide you with a copy.
Following your review of the Personal Information you can request to correct, amend or delete Personal Information, if it is inaccurate, incomplete or not up-to-date, or if you believe that the processing of the Personal Information is in violation of applicable law.
We will use discretion and due care to redact from the data which we will make available to you, personal information related to others. Where you believe that content containing Personal Information was uploaded to our Services by a third-party user, please contact such user who uploaded that content with a request to remove Personal Information.
We retain Personal Information for different periods of time, depending on the purposes for processing the information, our legitimate business purposes, and pursuant to legal requirements under the applicable law.
For example, we will need to keep the information about your payment transactions for several years due to tax related requirements, for accounts settling, record keeping, archiving and legal issues.
We will maintain your contact details to help us stay in contact with you. At any time before or after the termination of your account, you can contact our privacy team at: firstname.lastname@example.org and request to delete your contact details. Note that we keep your details for the necessary period of time for legal requirements and proceedings, if and when necessary.
Content uploaded to the Services such as images, videos, text, graphics or tags, and any data which is contained in such content will be deleted following the termination or deactivation of your subscription to the Services, and Cloudinary will not be responsible for any backup or retention of your content. However, the logs which indicate your access to such data and are used to create metrics for usage and billing, such as CDN logs, will be retained to allow you to resubscribe to the Services.
We will keep aggregated non-identifiable information without limitation, and to the extent reasonable we will delete or de-identify potentially identifiable information, when we no longer need to process the information in an identifiable form.
In any case, as long as you use the Service, we will keep information about you, unless the law requires us to delete it, or if we decide to remove it at our discretion, according to the terms of this policy.
Transfer of Personal Information
We use AWS servers located either in the United States or in the European Union, depending on your location, and provide enterprise customers with the ability to restrict the hosting of their data to the European Economic Area (EEA). We process and access information, either directly or by using third parties such as data hosting service providers, in the European Union, the United States, the United Kingdom, Singapore and Israel. The laws of these territories may differ from the laws of the jurisdiction in which you live or conduct your business.
If mandated by law, you can obtain a copy of the suitable safeguards that we use when transferring personal information as described above or receive further information about the transfers by contacting us at: email@example.com.
Data Privacy Framework Notice
We participate in the EU-US Data Privacy Framework (“EU-US DPF”), the UK Extension to the EU-US DPF (“UK Extension”), and the Swiss-US Data Privacy Framework (“Swiss-US DPF”), as set forth by the US Department of Commerce. You can review our Data Privacy Framework registration at: https://www.dataprivacyframework.gov/s/.
We have certified to the US Department of Commerce that we adhere to the EU-US Data Privacy Framework Principles (“EU-US DPF Principles”) with regard to the processing of Personal Information received from the European Union in reliance on the EU-US DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-US DPF.
We have certified to the US Department of Commerce that we adhere to the Swiss-US Data Privacy Framework Principles (“Swiss-US DPF Principles”) with regard to the processing of Personal Information received from Switzerland in reliance on the Swiss-US DPF.
If there is any conflict between the terms in this notice or our policy with the EU-US DPF Principles (including the UK Extension) or the Swiss-US DPF Principles, the Principles will govern. To learn more about the Data Privacy Framework (“DPF”) program, visit the data privacy framework website here.
In accordance with the EU-US DPF, we commit to resolve DPF Principles-related complaints about our collection and use of Personal Information related to you. If you have any inquiries or complaints about our handling of Personal Information received in reliance on the EU-US DPF, the UK Extension to the EU-US DPF, and the Swiss-US DPF (as applicable), please contact us at: firstname.lastname@example.org. We will do our best to respond to your inquiry as soon as we can.
In accordance with the EU-US DPF, the UK Extension to the EU-US DPF, and the Swiss-US DPF, we commit to cooperate (respectively) with the advice of the panel established by the EU data protection authorities (“DPAs”), the UK Information Commissioner’s Office (“ICO”) and the Gibraltar Regulatory Authority (GRA), and the Swiss Federal Data Protection and Information Commissioner (“FDPIC”), as applicable, with regard to unresolved complaints concerning our handling of Personal Information received in reliance on the EU-US DPF, the UK Extension to the EU-US DPF, and the Swiss-US DPF.
You may also decide to involve the binding arbitration option under the DPF, under certain conditions detailed here.
As explained under the section titled “Sharing Personal Information with Others” in our policy, we share Personal Information with third parties to perform services on our behalf.
When we share Personal Information received under the Data Privacy Framework with a third party, the third party’s access to, and use and disclosure of such Personal Information must also comply with our obligations under the Data Privacy Framework. We will remain liable under the Data Privacy Framework for any failure to do so by such a third party, unless we can demonstrate that we are not responsible for the event giving rise to the damage.
We are subject to the investigatory and enforcement powers of the Federal Trade Commission (“FTC”).
Note that we may be required to disclose Personal Information related to you in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
We already adhere to the required commitments under the UK Extension to the EU-US Data Privacy Framework and the Swiss-US Data Privacy Framework. We will rely on the UK Extension and the Swiss-US Data Privacy framework for applicable data transfers as of the date that they take effect.
We and our hosting services implement systems, applications, measures, safeguards and procedures to secure Personal Information, to minimize the risks of theft, damage, loss of information, or unauthorized access or use of personal information.
These measures provide sound industry standard security. However, although we make efforts to protect your privacy, we cannot guarantee that the Services will be immune from any wrongdoings, malfunctions, unlawful interceptions or access, or other kinds of abuse and misuse.
From time to time, we will update this policy. If the updates have minor if any consequences, or if they are mandated by applicable laws, they will take effect immediately, or as required after we post a notice on the Service’s website or the notice through email. Substantial changes will be effective 30 days after we initially posted the notice.
Until the updated policy takes effect, if it materially reduces the protection of your privacy rights under the then-existing policy you can choose not to accept it and terminate your use of the Services. Continuing to use the Services after the updated policy takes effect means that you acknowledge our updated practices and agree to them.
We conduct periodical assessments of our data processing activities and privacy practices, to make sure that we comply with this policy, to update the policy when we believe that we need to, and to verify that we display the policy properly and in an accessible manner.
If you have any concerns about the way we process Personal Information, please contact our privacy team at: email@example.com, or write to us. Our address is published on our website at: www.cloudinary.com and indicated in your subscription agreement.
Processing Personal Information Under EU Data Protection laws
If EU data protection laws apply to the processing of Personal Information by Cloudinary, then the following terms apply in addition to the general terms of the policy:
If you are a data controller, then for the purposes of content uploaded to the Services, Cloudinary acts as a data processor, and Cloudinary’s Data Processing Agreement applies to such processing.
Lawful Grounds for Processing
Where we process Personal Data related to you, as a data controller, the processing is based on the following lawful grounds:
- We process your account and payment details to perform the contract with you.
- We will process Personal Information to comply with a legal obligation and to protect your and others’ vital interests.
- We will further rely on our legitimate interests, which we believe are not overridden by your fundamental rights and freedoms, for the following purposes:
- Communications with you, including direct marketing where you are our client or a user of our client, or where you make contact with us through our websites, Services or otherwise.
- Cyber security.
- Support, customer relations, service operations.
- Enhancements and improvements to yours and other users’ experience with the website and Services.
- Fraud detection and misuse of the websites and Services.
- All processing of Personal Information which are not based on the lawful grounds indicated below, are based on your consent.
Your Rights under EU Data Protection Laws
In addition to your rights under other sections in this policy, you have the following rights:
- AT ANY TIME, CONTACT US IF YOU WANT TO WITHDRAW YOUR CONSENT TO THE PROCESSING OF PERSONAL INFORMATION. EXERCISING THIS RIGHT WILL NOT AFFECT THE LAWFULNESS OF PROCESSING BASED ON CONSENT BEFORE ITS WITHDRAWAL.
- Request to delete or restrict access to Personal Information. We will review your request and use our discretion, pursuant to the provisions of the applicable law, to reach a decision about your request and respond to it.
- If you exercise one (or more) of the above-mentioned rights, in accordance with the provisions of applicable law, you may request to be informed that third parties that hold Personal Information, in accordance with this policy, will act accordingly.
- You may ask to transfer Personal Information in accordance with your right to data portability.
- You may object to the processing of Personal Information for direct marketing purposes. Additional information about this right is available under the Choice section in this policy.
- You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affecting you.
- You have a right to lodge a complaint with a data protection supervisory authority of your habitual residence, place of work or of an alleged infringement of the GDPR.
A summary and further details about your rights under EU data protection laws, is available on the EU Commission’s website at: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens_en.
Request to Exercise Your Rights
Note that when you send us a request to exercise your rights, we will need to reasonably authenticate your identity and location. We will ask you to provide us credentials to make sure that you are who you claim to be and will further ask you questions to understand the nature and scope of your request.
If we need to delete Personal Information following your request, it will take some time until we completely delete residual copies of Personal Information from our active servers and from our backup systems.
If you have any concerns about the way we process Personal Information, you are welcome to contact our privacy team and our EU and UK representatives at: firstname.lastname@example.org. We will look into your inquiry and make good-faith efforts to respond promptly.
Processing Personal Information Under US Consumer Privacy Laws
This section of the policy applies solely to users of our Service who reside in the State of California and other applicable US states. This chapter supersedes any contradicting provisions under the other sections of the policy.
This chapter also serves as a notice at collection.
The Categories of Personal Information that we Collect
In the preceding twelve (12) months we have collected the following categories of Personal Information:
- Identifiers and Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)), such as name, email address and IP address.
- Commercial information, such as payment details.
- Internet or other similar network activity.
- Geolocation data.
- If you use of the Cloudinary media management platform service as an individual user and not on behalf of a Business, then we will collect and process any Personal Information embedded in the content that you upload to the platform.
- Inferences drawn from other Personal Information.
Categories of Sensitive Personal Information
Our Services are not intended for Sensitive Personal Information. We do not knowingly collect Sensitive Personal Information, and we require you not to use our Services or provide us with any such information.
We do not collect or process Sensitive Personal Information for the purpose of inferring characteristics about you and we do not sell Sensitive Personal Information or share Sensitive Personal Information for cross-context behavioral advertising.
For the purpose of applicable laws under this section of the policy, Sensitive Personal Information means:
- A consumer’s social security, driver’s license, state identification card, or passport number.
- A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.
- A consumer’s precise geolocation.
- A consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership.
- The contents of a consumer’s mail, email, and text messages unless we are the business that is the intended recipient of the communication.
- A consumer’s genetic data.
- The processing of biometric information for the purpose of uniquely identifying a consumer.
- Personal information collected and analyzed concerning a consumer’s health.
- Personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.
Categories of Sources for Personal Information Collection, Sharing and Disclosure
We obtain the Personal Information directly from you, from your Services activities, from third parties such as event organizers, data providers and publicly available resources.
We share Personal Information with third parties such as our service providers and our affiliates, as further described above under the section titled “Sharing Personal Information with Others” and for the purposes listed there.
In the preceding twelve (12) months we have disclosed the categories of Personal Information as listed above in this section of the policy, for business purposes.
In the preceding twelve (12) months, we have not sold Personal Information or shared Personal Information for cross-context behavioral advertising.
Selling and Sharing Personal Information
We do not sell or share Personal Information as these terms are defined under applicable laws. However, we engage third parties to provide us with services such as analytics, marketing automation and user experience and allow them to collect Personal Information on our website and Services.
We do not knowingly sell or share the Personal Information of consumers under 16 years of age.
The categories of Personal Information collected by these third parties in the preceding 12 months include identifiers, online activities and inferences drawn from such activities.
These third parties do not pay us for collecting such information, but the right granted to them to collect Personal Information may be considered as disclosure for the purpose of sale or share for cross-context behavioral advertising. At any time, you can opt-out of the collection of Personal Information by our service providers.
Your Rights under US Consumer Laws
You are entitled to the following specific rights under the California Consumer Privacy Act (‘CCPA’), the California Privacy Rights Act (‘CPRA’), and other US state consumer privacy acts, as applicable, in relation to Personal Information:
You have a right to know what Personal Information we have collected about you. You can request that we will disclose certain information to you about our collection and use of Personal Information over the past 12 months. After verifying your request, we will disclose to you:
- The categories of Personal Information we collected about you;
- The categories of sources for the Personal Information we collected about you;
- Our business or commercial purpose for collecting that Personal Information;
- The categories of third parties with whom we share Personal Information;
- The specific pieces of Personal Information we collected about you;
- If we disclosed Personal Information for a business purpose, we will provide you with a list which will identify the Personal Information categories that each category of recipient obtained.
You have a right to correct inaccurate Personal Information that we maintain about you.
You have a right to delete Personal Information that we have collected from you, subject to certain exceptions.
We do not hold identifying details of every user of our Service, website, and our other online assets. In these cases, you can restrict the ‘sale’ or ‘share’ of Personal Information by opting-out of receiving cookies from the relevant third parties.
Opt-out cookies installed on your browser to signal your opt-out request may only apply to the specific device and browser that you have used to request the opt-out. If you use another device or browser, or if you delete cookies through your browser settings, we may automatically prompt the cookies consent notice when you revisit our Services, website or other online assets.
If you would like to maintain your opt-out status with other devices or browsers that you use, please use your browser setting to block cookies, or otherwise reject the cookies when you are prompted with the cookie consent notice.
If we hold such information, we will use and disclose it for reasons under applicable law that do not require us to provide you a right to limit the use of the Sensitive Personal Information. That said, you can contact our privacy team at: privacy@Cloudinary.com with requests or inquiries related to Sensitive Personal Information that may reside on our systems.
We will not discriminate against you and you will not be retaliated against because you have requested to exercise any of the rights under this section of the policy, including, but not limited to, by:
- Denying you from goods or Services.
- Charging different prices or rates for the Services, including through the use of discounts or other benefits or imposing penalties.
- Providing a different level or quality of the Services to you.
- Suggesting that you will receive a different price or rate for the services or a different level or quality of the Services.
Limit the Use of Sensitive Personal Information
As further provided above, we do not collect Sensitive Personal Information, we do not infer characteristics from Sensitive Personal Information and therefore we do not expect you to request us to limit the use of such information.
Requests to Exercise Your Rights
Please submit your request to us by sending an email to our privacy team at: email@example.com.
Only you or a person authorized to act on your behalf, may make a request related to Personal Information.
When you send the request on your own behalf, we will ask you for additional identifying information, apart from your name and email address, to ensure that you are who you claim to be.
If you ask someone else to exercise your rights for you (an ‘authorized agent’), we will need to receive from the authorized agent a signed permission by you demonstrating that you have authorized that agent to act on your behalf, or a power of attorney that meets the requirements under applicable laws. We will make an effort to verify the identity of your authorized agent and will not share Personal Information with your authorized agent without receiving the signed permission and verifying the identity of your authorized agent.
A request for access can be made by you only twice within a 12-month period.
We cannot respond to your request or provide you with the requested Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. We will only use the Personal Information provided in your request to verify your identity or authority to make the request.
We will do our best to respond to your request within 45 days of its receipt. If we require more time (up to an additional 45 days), we will inform you of the reason and extension period in writing. If you do not have an account with us, we will deliver our written response by mail or electronically.
Any disclosures that we provide will only cover the 12-month period preceding receipt of your request.
The response we provide will also explain the reasons for our inability to comply with your request, if applicable.
We do not charge a fee to process or respond to your request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will inform you of the reasons for such decision and provide you with a cost estimate before processing further your request.
Last updated: October 10, 2023